Mac OS X Security Part 2: The Mac Forensic Toolkit

Part 1 of Ryan Faas' security series discussed the processes behind investigating inappropriate or criminal activities using data forensics, including the importance of not contaminating evidence by acquiring and working with forensic-quality disk images of affected hard drives. This article moves from the basic methods for performing a forensic investigation under Mac OS X to profiling the various tools that are available to perform such investigative work.

Hardware Write Blockers

Write blockers are physical devices that attach to SCSI, IDE, or SATA hard drives at one end and to a computer via FireWire or USB 2.0 at the other. They resemble external drive enclosures but add one important feature: they prevent the computer from writing any data to the drive. As discussed in part 1 of this series, one of the principal rules of forensic investigation is to not contaminate your evidence, and simply mounting a hard drive under normal conditions in Mac OS X (and most other operating systems) will do exactly that. There are methods for acquiring a disk image or copy of a disk under Mac OS X without a write blocker, but they are not foolproof, and it is possible to accidentally mount or modify the evidentiary drive. A write blocker ensures that you cannot contaminate the drive and offers a way to prove that fact. They range in price from around $100 to upward of $500, depending on the features included.
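The "proof" an investigator records alongside the write blocker is a set of hashes: the evidence drive hashed before acquisition, the image hashed as it is written, and the drive hashed again afterwards, all of which must agree. The following is an added example, not code from the article, that performs that three-way verification; it uses a constructed file in place of the evidence device (on a real acquisition the source would be the raw device path), and the `acquire_and_verify` and `demo` names are the example's own.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream 1 MiB at a time so a whole drive never sits in memory


def sha256_of(path):
    """Hash a file or raw device in chunks; returns the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_and_verify(source, image):
    """Copy `source` to `image` read-only and record the digests that prove
    the evidence was unchanged: source before, bytes copied, image on disk,
    source after. `verified` is True only when all four agree."""
    before = sha256_of(source)
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    copied = h.hexdigest()
    image_hash = sha256_of(image)   # re-read the image rather than trust the in-flight hash
    after = sha256_of(source)       # a second read proves the source survived acquisition
    return {
        "source_before": before,
        "image": image_hash,
        "source_after": after,
        "verified": before == copied == image_hash == after,
    }


def demo():
    """Constructed scenario: a clean acquisition, then a single stray write to
    the 'evidence' to show that the recorded hash no longer matches."""
    tmp = tempfile.mkdtemp()
    evidence = os.path.join(tmp, "evidence.bin")
    image = os.path.join(tmp, "evidence.dd")
    with open(evidence, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # sample bytes standing in for a drive
    report = acquire_and_verify(evidence, image)
    with open(evidence, "r+b") as f:       # what an accidental mount or write does
        f.write(b"\x00")
    still_matches = sha256_of(evidence) == report["source_after"]
    return report["verified"], still_matches
```

Hashing proves after the fact that the bytes did not change; it does not stop the operating system from mounting and touching the drive in the first place, which is the gap the write blocker closes.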